DHCP stops assigning IP addresses on wan and lan after firewall is enabled. MSR985

lezion_ · ‎08-09-2021

Hi,

My MSR985 ( JH300A ) stops assigning ip addresses as soon as I assign interfaces to the zonal firewall. Service like defined by me ex: wireguard works, but not dhcp, also ipv6 dies, but I presume that can't be configured from the web portal. I have not tried to configure firewall rules from CLI.
Any suggestions would be appreciated!

Thank you

object-group service Dhcp
0 service udp source eq 67 destination eq 67
10 service udp source eq 68 destination eq 68
#
object-group service WireGuard
0 service udp source eq 51820 destination eq 51820
#

object-policy ip Local-Local
rule 0 pass service Dhcp
#
object-policy ip Local-Trust
rule 0 pass service Dhcp
#
object-policy ip Trust-Local
rule 0 pass
#
object-policy ip Trust-Trust
rule 0 pass
#
object-policy ip Trust-Untrust
rule 0 pass
#
object-policy ip Untrust-Trust
rule 0 pass destination-ip VPN_Server service WireGuard
rule 0 comment WireGuard Rule
rule 1 pass service Dhcp
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
#
security-zone name Services
#
zone-pair security source Local destination Local
object-policy apply ip Local-Local
#
zone-pair security source Local destination Trust
object-policy apply ip Local-Trust
#
zone-pair security source Trust destination Local
object-policy apply ip Trust-Local
#
zone-pair security source Trust destination Trust
object-policy apply ip Trust-Trust
#
zone-pair security source Trust destination Untrust
object-policy apply ip Trust-Untrust
#
zone-pair security source Untrust destination Trust
object-policy apply ip Untrust-Trust
#

Ivan_B · ‎08-09-2021

Hi @lezion_ !

DHCP on LAN side:

Modify your object-group service Dhcp to look like this:

object-group service Dhcp
 0 service udp source eq 67
 10 service udp source eq 68

Explanation:

This object-policy defines which traffic to be passed from Local to Trust, e.g. from the DHCP Server in your router to the LAN:

object-policy ip Local-Trust
rule 0 pass service Dhcp

However you allowed only UDP packets:
1. UDP src 67 dst 67
2. UDP src 68 dst 68

This can be the issue, because DHCP OFFER and ACK use UDP: source port=67; destination port=68

DHCP on WAN side:

"zone-pair security source Untrust destination Local" is missing.

I am an HPE employee

lezion_ · ‎08-14-2021

Hi @Ivan_B

It worked for ipv4,

but ipv6 is still crippled. As soon as i unassing the interfaces, ipv6 comesback.

Best

Bartosz

akg7 · ‎09-07-2021

Hello @lezion_,

Just going through the issue details.

Are you still facing the issue?

Thanks!

Note: While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the company

lezion_ · ‎09-08-2021

Hi @akg7

Unfortunatly IPV6 is stops working when firewall is enabled..

Kind Regards

B

akg7 · ‎09-12-2021

Hello,

We request you to log a case on HPE Support Center portal for further resolution using the link:

https://support.hpe.com/hpesc/public/home/

Thanks!

Note: While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the company

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

DHCP stops assigning IP addresses on wan and lan after firewall is enabled. MSR985

DHCP stops assigning IP addresses on wan and lan after firewall is enabled. MSR985

Re: DHCP stops assigning IP addresses on wan and lan after firewall is enabled. MSR985

Re: DHCP stops assigning IP addresses on wan and lan after firewall is enabled. MSR985

Re: DHCP stops assigning IP addresses on wan and lan after firewall is enabled. MSR985

Re: DHCP stops assigning IP addresses on wan and lan after firewall is enabled. MSR985

Re: DHCP stops assigning IP addresses on wan and lan after firewall is enabled. MSR985